National Crime Agency

Improving cyber security together

Cyber crime is indiscriminate and unpredictable, and poses a substantial threat to the UK’s national security.

Its impact is far reaching. It can lead to business closures, inaccessible public services, compromised customer data and substantial financial losses. According to recent reports by Sophos, the cost of recovery to victims of a ransomware attack has increased by 50% over the last year alone, and now stands at a staggering $2.73 million (£2.07 million).

It is absolutely crucial that organisations protect themselves from cyber criminals by taking proactive measures before, during and after an attack.
To that end, the National Crime Agency (NCA), Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have joined forces to arm UK companies with the knowledge and support they require.

Today 5 September, the NCA and ICO signed a memorandum of understanding, reaffirming their commitment to providing information and guidance on cyber security matters, proactively assisting victims of cyber attacks, and promoting the reporting of cyber crime.

Both organisations will continue to work closely with the NCSC to make the UK more resilient in the face of a substantial, and growing, threat.
Explore some of the common myths around cyber crime, and find out more about the NCA, ICO and NCSC’s roles below.

Cyber security myths

It is crucial to address and dispel the many myths around cyber attacks. Organisations can only protect themselves if they are armed with the correct information.
We’ve explored a few key misconceptions below, but further information can also be found in the ICO and NCSC’s recent blog.

Myth 1: It’s better to keep quiet

Many organisations believe that if they stay silent, they can reduce the risk of liability or the likelihood of sanctions.

In fact, organisations have a legal responsibility – under data protection law, and the Network and Information Systems Regulations – to report incidents that meet a certain threshold. When considering enforcement action, the ICO takes into account a victim’s cooperation with the regulator and other bodies.

Cyber crime knows no boundaries and one incident can affect thousands of victims. If attacks are covered up, it’s the criminals who benefit. Reporting not only protects your organisation; it helps other victims too.

Myth 2: There’s no help available

Reporting doesn’t just help us improve our understanding of the threat. It also connects victims to organisations who can provide vital guidance and expertise.

There’s a huge amount of assistance on offer, including tailored technical advice, the creation of secure communication channels, insight into an attacker’s possible motivations, and strategic advice on how to engage with the rest of government, regulators and the media. But organisations should report to get support.

Myth 3: You only have to report cyber incidents to one organisation

Cyber breach statistics show that many organisations aren’t contacting the relevant authorities when they experience cyber attacks.

Different incidents require different responses. You may have to notify several organisations.

There’s an easy way to figure out your next steps. Fill out the following online form to find out where to go: Where to Report a Cyber Incident - GOV.UK (www.gov.uk)

Reporting to the NCSC:

All cyber incidents that involve unauthorised access to an organisation’s systems should be reported to the NCSC.

There, they are triaged and categorised according to their severity and potential impact on the UK. Defence watch officers (DWOs) operate 24 hours a day, and pass on significant incidents to incident handlers, who provide direct support to the victim.

Reporting to Action Fraud:

Sometimes, a significant cyber incident can kickstart a UK criminal investigation.

If you have lost money, or require a law enforcement response, you should report the incident to Action Fraud.

From there, incidents will be passed to law enforcement, including the NCA, police forces or Regional Organised Crime Units (ROCUs), whose role it is to work with NCSC and the victim organisation to identify and remediate the attack, and then pursue those responsible where possible. Crime cannot be reported to the NCA directly.

Reporting to the ICO:

Cyber incidents often result in data breaches, which affect the confidentiality, integrity or availability of personal data.

Data breaches can affect individuals’ rights and freedoms, and can impact a company’s ability to operate.

Organisations are legally obliged to report any personal data breaches to the ICO within 72 hours of becoming aware of them, unless they can show that the breach is unlikely to pose a risk to individuals’ rights and freedoms.

This includes incidents that lead to the accidental or unlawful destruction of data, as well as those that lead to the alteration, unauthorised disclosure of, or access to, personal data.

Reporting to the Office of Financial Sanctions Implementation (OFSI):

Some criminals involved in ransomware attacks are subject to UK government sanctions. Payment to a designated person would constitute a breach of sanctions.

The OFSI is part of HM Treasury, and is in charge of the implementation of financial sanctions in the UK. Where you know or have reasonable cause to suspect that a breach of sanctions has occurred, this must be reported to the OFSI as soon as possible.

Myth 4: It’s impossible to know about cyber attacks until it’s too late

There are always options available to an organisation experiencing a cyber attack, and support can be provided at all stages.

All UK organisations who hold a static IP address or domain name are encouraged to sign up to the NCSC’s free Early Warning service, which will alert them to potential threats before they become much bigger issues. The service provides an extra layer of defence for a network, and should complement, not replace, existing security controls.

If cyber attacks are being perpetrated by serious and organised cyber criminals, the NCA are occasionally aware of them before the victim. Our Triage, Incident Coordination and Tasking (TICAT) team issued 300 notifications in 2023, and 149 in the first three months of 2024.

Myth 5: Paying the ransom will retrieve the data

Some organisations decide to pay cyber criminals in an effort to retrieve their data.

However, this neither safeguards the data from future compromise, nor guarantees that the cyber criminals will remove it from their systems.

The NCA does not encourage, endorse or condone the payment of ransoms.

Recent NCA operations have revealed that cyber criminals often retain data, even after promising their victims that it has been deleted.

Earlier this year, the NCA took extensive action to destroy all stolen data held by the Lockbit ransomware group. Reporting a single cyber attack to law enforcement might allow us to support many more victims across the world.

Myth 6: The NCA and NCSC will share information with the regulator

The NCA and NCSC encourage organisations to be mindful of their regulatory obligations, but will never share confidential information with the regulator without the victim’s permission.

Who are we?

The NCA’s role

The NCA’s role is to protect the UK public from serious and organised crime.

Our National Cyber Crime Unit (NCCU) leads, coordinates and supports the national law enforcement response to cyber crime. We also collaborate closely with the UK Intelligence Community, private industry, government and international partners to degrade the threat.

We support organisations who fall victim to cyber crime, and take action against those responsible. Our TICAT team are available 24/7, and can help businesses identify, remove and remediate the initial access/compromise. Where possible, we pursue criminal justice outcomes for cybercriminals, but our work also includes the use of alternative disruptions – sanctions, takedowns and the infiltration of criminal enterprises.

Recently, the NCCU led an international campaign to target the world’s most prolific ransomware group. Lockbit was behind more than 25% of all global attacks, and caused losses in the billions of pounds, dollars and euros, both in ransomware payments and in the costs of recovery. The group provided ransomware-as-a-service to a global network of hackers or “affiliates”, arming them with the tools and infrastructure required to carry out attacks. Read more about our operation here:

The ICO’s role

The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law.

Their role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO recently issued a Notice of Intent (NOI) to fine Advanced Computer Software Group Ltd £6.09m, following an initial finding that the provider failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.

The ICO’s recent Learning from Mistakes of Others report highlighted that many organisations are still failing to get the basics right in relation to cyber security.

The NCSC’s role

The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber.

The NCSC monitors incidents, provides early warnings, provides advice and guidance, conducts cyber threat assessments and provides technical support to the most critical organisations in the UK, the wider public sector, industry, SMEs and the general public.

The NCSC’s mission is to make the UK the safest place to live and work online.

Recently, the NCSC supported the general election effort, helping to secure the UK’s democratic process through the publication of a new collection of guidance and direct support of Parliamentarians.

Channel website: http://www.nationalcrimeagency.gov.uk/

Original article link: https://www.nationalcrimeagency.gov.uk/news/improving-cyber-security-together
